Privacy Notice

Introduction

Lavendon Group Limited (referred to as “Lavendon Group Limited”, “Nationwide Platforms”, “Loxam Pad”, “We, “Our” or “Us”), are committed to protecting the privacy and security of your Personal Data.

This Lavendon Group Privacy Notice applies to you if you are:

•   A service user of this website (https://www.loxampad.com/ or https://www.nationwideplatforms.co.uk/);
•   An employee, contractor or other associated party associated with Lavendon Group’s Affiliates;
•   An employee, contractor or other associated party associated with Lavendon Group’s Customers, or the Customers of Lavendon Group’s Affiliates;
•   An employee, contractor or other associated party contracted by Lavendon Group’s Service Providers, or the Service Providers of Lavendon Group’s Affiliates;
•   A member of the public whose Personal Data is processed for CCTV or related security measures; or,
•   Any other individual with whom Lavendon Group may conduct commercial operations.

We have developed this Privacy Notice to inform you of the data we collect, what we do with your information, what we do to keep it secure as well as the rights and choices you have over your Personal Data. It is important that you read this notice so that you are aware of how and why we are using such information.

Definitions

For the purposes of this Lavendon Group Privacy Notice:

Affiliate means an entity that controls, is controlled by, or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority;

Company (referred to as “Lavendon Group Limited”, “Nationwide Platforms”, “Loxam Pad”, “We, “Our” or “Us” in this Agreement) refers to Lavendon Group Limited, 15 Midland Court, Central Park, Lutterworth, Leicestershire, LE17 4PN; company number 02771891; ICO registration number Z7452317;

Cookies are small files that are placed on Your computer, mobile Device, or any other device by a website, containing the details of Your browsing history on that website among its many uses;

Customer means the entity identified in a contract with the Company as the party to receive commodities or contractual services pursuant to a contract or that orders commodities or contractual services via purchase order or other contractual instrument from the Company;

Data Controller means the entity which determines the purpose and means of processing Personal Data, and as defined in the Controllership section below;

Data Processor means the entity receiving instructions from the Controller, and as defined in the Controllership section below;

Data Protection Legislation means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, their member states and the United Kingdom any amendments, replacements or renewals thereof, applicable to the processing of Personal Data, including where applicable the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020, the EU GDPR, the UK GDPR, UK Data Protection Act 2018, the FDPA, the CCPA and any applicable national implementing laws, regulations and secondary legislation relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426);

Device means any device that can access the Service such as a computer, a mobile phone, or a digital tablet;
Loxam Group the companies included in this are Lavendon Group Limited, Nationwide Platforms Limited, Zooom Holdings (UK) Limited, Lavendon Access Services (International) Limited, Blue Sky Topco Limited, UK Platforms Limited, BlueSky Solutions Limited, Access Solutions (UK) Limited, Loxam Access Limited (collectively in this document “the Companies”).

Personal Data is any information that relates to an identified or identifiable individual. For the purposes of both UK and EU GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity;

Service refers to the Company’s Website, unless otherwise stated;

Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analysing how the Service is used. For the purpose of both UK and EU GDPR, Service Providers are considered Data Processors;

Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit);

Website refers to the Lavendon Group Limited website, accessible from https://www.loxampad.com/; and,

You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable. Under both UK and EU GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as you are the individual using the Service.

Controllership

Where the Company determines the purposes and means of processing Personal Data, the Company is the Data Controller. In this scenario, any Service Provider is a Data Processor of the Company.
Where a third party determines the purposes and means of processing Personal Data – such as may occur where the Customer provides the Company with information regarding the Customer’s employees and other agents – the Company is the Data Processor and the Customer, or any other entity that is determining the purposes and means of processing Personal Data, is the Data Controller. In this scenario, any Service Provider is a Data (Sub-) Processor of the Company.

How we collect information

•   We collect your Personal Data when:you provide it to us by contacting us, placing an order, completing registration forms, or signing up for content such as newsletters;
•   We collect it from your use of our Website, such as through cookies and other Usage Data;
•   We collect it from our CCTV, telemetry and other geo-tracking systems;
•   We enter into a contractual relationship with you; and,
•   We collect it from third parties such as business information databases.

What information we collect

We only collect Personal Data that we know we will genuinely use and in accordance with the Data Protection Legislation. The type of Personal Data that we will collect on you will depend on whether you are: a user of this website; an employee of Lavendon Group Limited’s Affiliates, Customers, or Service Providers; a member of the public; or any other individual:

Website User†

•   Your name or username, where relevant;
•   Your contact information (email address);
•   Your Contact Us form responses;
•   Your Usage Data (e.g., your IP address); and,
•   Cookies and Tracking Technologies;

Employees of Lavendon Group Limited’s Affiliates, Clients, or Service Providers

•   Your name;
•   Your date of birth;
•   Your contact information (telephone number, email address, or mailing address);
•   Your employment details;
•   Your training details (e.g., IPAF information);
•   Audio-visual recordings of your actions or behaviour, where relevant.
•   Where relevant, your pseudonymised unique identification number(s) (e.g., payroll no.);
•   Where relevant, your financial information (e.g., bank information);
•   Where relevant, your Right to Work information (e.g., nationality); and,
•   Where relevant, your health data (e.g., sick leave information).

Member of the public†

• Your likeness; and,
• Audio-visual recordings of your actions or behaviour, where relevant.

Other Individual†

• Your name; and,
• Your contact details, where required.

† You are under no statutory or contractual requirement or obligation to provide us with your Personal Data; however, we require at least the information above in order for us to process your Request, deliver our Service, or take reasonable technical and organisational measures to ensure the security of our information assets.

How we use your information

We will only process your Personal Data when the law allows us to do so. Where possible, we will have provided you with our lawful basis for processing your Personal Data at the point the information was initially collected from you. We will not store, process, or transfer your data unless we have an appropriate lawful reason to do so.

Under Data Protection Legislation, the lawful bases we rely on for processing your information are:

•   GDPR Article 6(1)(a) – your consent;*
•   GDPR Article 6(1)(b) – We have a contractual obligation;
•   GDPR Article 6(1)(c) – We have a legal obligation;
•   GDPR, Article 6(1)(d) – In order to protect the vital interests of You or a third party;
•   GDPR, Article 6(1)(e) – We have a public interest; or,
•   GDPR, Article 6(1)(f) – We have a legitimate interest.

* Where the lawful basis for processing is Consent, you are able to remove your consent at any time. You can do this by contacting our DPO using the contact details provided in the Contact Us section below.

We may use your information for the following purposes:

Processing Activity	Lawful Basis
Where you are an employee of Lavendon Group Limited’s Affiliates, to collect information from you and make available our services to you	Contractual Obligation
Where you are an employee of Lavendon Group Limited’s Customers, to collect information from you or your employer and make available our services to your employer	Legitimate Interest in managing our contractual relationships with our Customers
Where you are an employee of Lavendon Group Limited’s Customers, to collect information from you, to collect orders, to take payment from you, make a payment to you, give you a refund or request a refund	Contractual Obligation
Where you are an employee of Lavendon Group Limited’s Customers, to collect information from you or your employer and liaise with your employer about your contact details and/or the nature and performance of your work, as required	Legitimate Interest in managing our contractual relationships with our Customers
Where you are an employee of Lavendon Group Limited’s Service Providers, to collect information from you or your employer and make available our services to your employer	Legitimate Interest in managing our contractual relationships with our Service Providers
Where you are an employee of Lavendon Group Limited’s Service Providers, to collect information from you and take payment from you, make a payment to you, give you a refund or request a refund	Contractual Obligation
Where you are an employee of Lavendon Group Limited’s Service Providers, to collect information from you or your employer and liaise with your employer about your contact details and/or the nature and performance of your work, as required	Legitimate Interest in managing our contractual relationships with our Service Providers
To collect information from you in order to monitor, provide and maintain our Service	Legitimate Interest in providing a Service to You
To contact you following your enquiry where you have provided your contact information and to reply to any questions, suggestions, issues, or complaints, including any Data Subject Requests, about which you have contacted us	Legitimate Interest in responding to Your enquiry
To collect your Usage Data in order to power our security measures and services so you can safely access our website and other Services	Legitimate Interest in maintaining secure systems
To contact you, where you have provided your contact information, about news and information relating to our Services through service messages	Legitimate Interest in contacting You about our Services
B2B direct marketing to you, where you have provided your contact information, about products and services from us where you are classified as a corporate subscriber and/or the ‘soft opt-in’ applies under UK PEB2B direct marketing to you, where you have provided your contact information, about products and services from us where you are a sole trader, partnership or otherwise classified as an individual subscriber and/or the ‘soft opt-in’ does not apply under UK PECR	Consent
To retain any accounting information generated during the course of our interaction for statutory accountancy retention periods	Legal Obligation
To respond to and defend against legal claims, where you have provided us with information which may give rise to legal claims	Legal Obligation
To maintain a Closed-Circuit Television (CCTV) network of our various sites, vehicles, and other assets for security purposes	Legitimate Interest in securing our sites, vehicles, and assets
To ensure that vehicle and machine operators have received the appropriate training	Legitimate Interest in securing our vehicles and machines
To monitor the location of our vehicles and other assets	Legitimate Interest in securing our vehicles and assets
To review credit account requests from Limited Companies and use Credit Reference Agencies to aid decision	Contract
To review credit account requests from Sole Traders or Partnerships and use Credit Reference Agencies to aid decision	Contract

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Assessment for Credit

If you make a request for credit facilities we will use the data you have inputted on the request form as well doing verification checks for addresses using the electoral register (sole trader and partnerships) to enable Credit Reference Agencies to undertake the credit checks. You are responsible for ensuring that you supply us with information which is correct.

Credit Reference Agencies (CRAs)We will supply your business/ personal information to credit reference agencies (CRAs) and they will give us information about you, such as about your financial history. We do this to assess your creditworthiness, check your identity, manage your account and prevent criminal activity. These checks will have no impact on your credit history. There will only be a record that a soft search was undertaken.

If there is an issue with your credit score that prevents you from accessing credit, it is important to understand that the responsibility for rectifying the situation lies with the credit reporting agencies (CRAs) and not with Loxam Group. It means that you should contact the CRAs to address and resolve any discrepancies or errors affecting your credit score. Loxam Group does not have the authority or capability to directly rectify issues related to your credit score.

We use the following CRAs. Details of how the methods they use to give a credit score is available in the links below
Creditsafe; Consumer Credit Reports & Credit Checks | Creditsafe
Creditsafe Privacy Policy: gdpr-customer-briefing-v2 (1).pdf
Dun and Bradstreet: Dun & Bradstreet - Accelerate Growth and Improve Business Performance (dnb.co.uk)
Dun and Bradstreet Privacy Policy: Dun & Bradstreet Privacy Notice (dnb.co.uk)
Experian: Experian | Credit Scores, Reports & Credit Comparison
Experian Privacy Policy: Privacy and Your Data | Experian

The legal basis for undertaking these checks will be Contract for Limited Companies and Contract for Sole Traders or Partnerships

If you have queries or concerns please contact DPO@loxampad.com.

Who we share your information with

We may share your Personal Data with other organisations in the following circumstances:

•   From time to time, we may need to share your Personal Data with our strategic partners, such as Lavendon Group Limited’s Affiliates;
•   If the law or a public authority says we must share the Personal Data;
•   If we need to share Personal Data in order to establish, exercise or defend our legal rights – this includes providing Personal Data to others for the purposes of detecting and preventing fraud; or
•   From time to time, where we employ the services of other parties for dealing with certain processes necessary for the operation of our services.
We use Service Providers (“Data Processors”) who are third parties who provide elements of services for us. Examples of these Data Processors include, but are not limited to:
•   Operations Data Processors, such as ServiceNow, Inc., our Instance Management solution;
•   Finance Data Processors, such as SalesForce, Inc., our Customer Relationship Management (CRM) service;
•   IT Processors, such as Microsoft, Inc., our IT Services solution; and,
•   Governance Processors, such as Bureau Veritas UK Limited, our vehicle inspection services provider.

We have Data Processor Agreements in place with our data processors. This means that they cannot do anything with your Personal Data unless we have instructed them to do it. They will not share your Personal Data with any organisation apart from us or further sub-processors who must comply with our Data Processor Agreement. They will hold your Personal Data securely and retain it for the period we instruct.

We will not sell your Personal Data under any circumstances.

How long we retain your information

We retain a record of your Personal Data in order to provide you with a high quality and consistent service. We will always retain your Personal Data in accordance with the Data Protection Legislation and never retain your information for longer than is necessary. Lavendon Group Limited follows a Retention Schedule which outlines how long Lavendon Group Limited will retain your Personal Data. Lavendon Group Limited considers the retention period to begin from the point at which Lavendon Group Limited last contacted you or otherwise reviewed your record to determine whether it was still active, unless otherwise required by law. As such, unless otherwise required by law, your data will be retained for the period specified in the summarised table below and then securely deleted in accordance with our internal policies and procedures.

Purpose	Retention Period
Processing Personal Data for the purposes of financial compliance with accountancy and tax standards	Life of customer/supplier relationship (last trading activity date and balance settlement – whichever is later) plus 6 years
Processing training data	5 years after the training course
Processing communications from You	2 years
Processing CCTV audio-visual images from our sites, vehicles, and other assets	6 months , unless we are obligated to retain it for a longer period by law
Processing Personal Data to establish, exercise, or defend against, legal claims	6 years, or as long as is required for the purposes relating to such claims
Processing data in relation to You as an employee, contractor or other associated party contracted by Lavendon Group Limited’s Affiliates	6 years following the termination of your employment
Processing data in relation to You as an employee, contractor or other associated party contracted by Lavendon Group Limited’s Customers	6 years following the termination of the Agreement between Lavendon Group Limited and the Customer
Processing data in relation to You as an employee, contractor or other associated party contracted by Lavendon Group Limited’s Service Providers	6 years following the termination of the Agreement between Lavendon Group Limited and the Service Provider
Processing data in relation to You as any other individual with whom Lavendon Group Limited may conduct commercial operations	6 years

How we secure your information

Data security is of great importance to Lavendon Group Limited. We have put in place appropriate technical and organisational measures to prevent your Personal Data from being accidently lost, used, or accessed in an unauthorised way, altered, or disclosed.

We take security measures to protect your information including:

•   Limiting access to our buildings and resources to only those that we have determined are entitled to be there (by use of passes, key card access and other related technologies);
•   Managing a data security breach reporting and notification system which allows us to monitor and communicate information on data breaches with you or with the applicable regulator when required to do so by law;
•   Implementing access controls to our information technology; and,
•   Deploying appropriate procedures and technical security measures (including strict encryption, anonymisation and archiving techniques) to safeguard your information across all our computer systems, networks, websites, mobile apps, offices, and stores.
Further information on our security measures can be found in Lavendon Group Limited’s Information Security Policies.

How we use cookies

We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyse Our Service.

You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service.

Cookies can be “Persistent” or “Session” Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close your web browser.

We use both session and persistent Cookies for the purposes set out below:

Necessary / Essential Cookies
Type: Session Cookies
Administered by: Us
Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.

Cookies Policy / Notice Acceptance Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: These Cookies identify if users have accepted the use of cookies on the Website.

Functionality Cookies
Type: Persistent Cookies
Administered by: Us
Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.

Tracking and Performance Cookies
Type: Persistent Cookies
Administered by: Third-Parties
Purpose: These Cookies are used to track information about traffic to the Website and how users use the Website. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these Cookies to test new pages, features, or functionality of the Website to see how our users react to them.

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network.

You can opt-out of having made your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information with Google Analytics about visits activity.

For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: https://policies.google.com/privacy?hl=en

For more information, please visit our cookie policy here: https://www.nationwideplatforms.co.uk/en-gb/cookie-policy

Closed circuit television

This section explains how we regulate the management, operation and use of the closed-circuit television (CCTV) systems at our depots. It also covers vehicle cameras and Body Wear Devices (BWD) that may be used from time to time.

Please note that this Privacy Notice only addresses CCTV cameras, vehicle cameras, and bodycams owned and operated by Lavendon Group Limited; it does not cover CCTV cameras, vehicle cameras, and bodycams owned and operated by other entities, including any private landowners or industrial estates that operate their own systems. For information about these systems, please visit the relevant Privacy Notices for those legal entities.

The system will vary from depot to depot. It usually comprises several fixed cameras located throughout the depot.

Cameras are linked to a dedicated system per depot. Access to this system is restricted to the senior managers and contracted third party security monitoring companies. This is indicated on the signage at each location.

The objectives of the use of CCTV are:

•   To help protect our buildings and equipment;
•   To support the police to deter and detect crime;
•   To assist in identifying, apprehending, and prosecuting offenders; and,
•   To assist in investigation of health and safety matters

The CCTV Scheme has been registered with the Information Commissioner and complies with the requirements of the Data Protection Act 2018 and the Surveillance Commissioner's Code of Practice. We will treat the system and all information, documents and recordings obtained and used as data protected by the Act.

Cameras will be used to monitor activities within the depot grounds near the access gates to identify adverse activity occurring, anticipated, or perceived.

Static cameras are positioned to ensure they do not focus on private homes, gardens, and other areas of private property. At no time will a camera be directed to follow or track an individual. All currently deployed cameras are fixed.

Images will only be released for specific, legitimate purposes including:

•   Use in the investigation of a specific crime and with the written authority of the police;
•   Use in the investigation of a health and safety incident; and,
•   Use in a complaint or grievance procedure.

Images will not be released to the media for purposes of entertainment.

The planning and design has endeavoured to ensure that the CCTV Scheme will give maximum effectiveness and efficiency within available means, but it is not possible to guarantee that the system will cover or detect every single incident taking place in the areas of coverage.

Warning signs, as required by the Code of Practice of the Information Commissioner, have been placed at all access routes to areas covered by the depot’s CCTV system.

Requests by the police can only be authorised for statutory or other legal compliance. The police may require Lavendon Group Limited to retain any stored images for possible use as evidence in the future. Such images will be properly indexed and securely stored until the police need them.

Applications received from outside bodies (such as solicitors) to view or release footage will be referred to the Data Protection Officer. In these circumstances, images will normally be released where satisfactory documentary evidence is produced showing that they are required for legal proceedings, or in response to a court order.

International Transfers

Your Personal Data is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to Devices located outside of Your state, province, country, or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction. Where this occurs, Lavendon Group Limited will ensure that:

•   the security and confidentiality of your Personal Data is secure at all times;
•   any Data Controller receiving your Personal Data has entered into an agreement with Lavendon Group Limited which contains standard data protection clauses as required by UK and/or EU GDPR or there is an alternative appropriate safeguard in place governing the transfer; and,
•   any Data Processor receiving your Personal Data has entered into an agreement with Lavendon Group Limited which contains the required Data Processor clauses as well as standard data protection clauses as required by UK and/or EU GDPR or there is an alternative appropriate safeguard in place governing the transfer.

Where you are based in the UK or EU and we were required to transfer your Personal Data out of the UK or EU to countries not deemed by the ICO or European Commission (as relevant) to provide an adequate level of Personal Data protection, the transfer will be based on safeguards that allow us to conduct the transfer in accordance with the Data Protection Legislation, such as the specific contracts containing standard data protection clauses approved by the ICO or European Commission (as relevant) providing adequate protection of Personal Data.

What happens if our business changes hands?

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any Personal Data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by us.

Communication

Where you are an employee of Lavendon Group Limited’s Affiliates, Customers, or Service Providers, a user of this website who has provided us with your contact information, or any other business contact, we may send you relevant news about our services. Where these messages provide information regarding Your use of the Services, Lavendon Group Limited has a Legitimate Interest in providing You with these ‘service messages’.

Where these messages promote Lavendon Group Limited’s products and services, including by email, we will only contact you if we have a Legitimate Interest to do so. Where we do not have a Legitimate Interest, we will not send you direct marketing communications unless we have asked for, and received, your consent.

We make every effort to ensure that we only send such communications to those acting in a business capacity and do not send such materials to consumers via personal email addresses if it is clear they are not acting in such a capacity or have not otherwise provided their consent.

All email marketing communications will have an option to unsubscribe and so if you wish to amend your marketing preferences, you can do so by following the link in the email and updating your preferences. Alternatively, you can contact our DPO using the contact details provided in the Contact Us section below.

External Websites

When using our website and other Services, you may be able to share information through social networks like Facebook and Twitter. For example, when you ‘like’, ‘share’ or review our Services. When doing this, your Personal Data may be visible to the providers of those social networks and/or their other users. Lavendon Group Limited takes no responsibility for how your Personal Data is processed on any external websites, and this Privacy Notice does not cover this processing activity. For more information, please view the Privacy Notice of the external website in question. Please remember it is your responsibility to set appropriate privacy settings on your social network accounts so you are comfortable with how your information is used and shared on them.

Your information rights

The right to be informed about our collection and use of Personal Data

You have the right to be informed about the collection and use of your Personal Data. We ensure we do this with our internal and external Privacy Notices (including this document). These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.

Right to Access Your Personal Data

You have the right to access the Personal Data that we hold about you in many circumstances, by making a request. This is sometimes termed ‘Data Subject Access Request’. If we agree that we are obliged to provide Personal Data to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within 1 month from when your identity has been confirmed.

We would ask for proof of identity and sufficient information about your interactions with us that we can locate your Personal Data.